Hi @AliMaher , as also @PickleRick and @richgalloway said, the correct reference hardware and the number of SHs depends not only on the number of active users but mainly on the number of searches th...
See more...
Hi @AliMaher , as also @PickleRick and @richgalloway said, the correct reference hardware and the number of SHs depends not only on the number of active users but mainly on the number of searches that you have in your infrastructure, with special attention to scheduled searches. In addition it depends also on the presence of Premium Apps like Enterprise Security or ITSI that use many scheduled searches. You can monitor the load on the SH using the Monitoring Console: if the load on the SH is too high, you can think to add another SH or increase the reference hardware (CPUs). The use of a Cluster depends on if you have the requirement of HA or not, not on the load on SH. In addition, when you monitor the performances of your infrastructure, remember to monitor also the load on Indexers because all the searches from SHs arrive on Indexers: you can monitor Indexers performaces using still the Monitoring Console. Anyway, the best approach is to analyze the requirements, in terms di indexed logs, scheduled searces, active users and presence of Premium Apps with a Splunk Architect that can design the best architecture for your infrastructure. Ciao. Giuseppe